  • Implementing RunAsManager. Need advice

    Hey guys,

    I plan to implement RunAsManager since I believe it's the only way to reset the authentication object stored in the SecurityContext. The reason why I want this implemented is because after the user logs in, I have another authentication page which asks for the user's email. When the user enters the correct email address, I would want to add a GrantedAuthority to his current list of Authorities. Is this possible and is this the best way to do this?

    Basically, I want my web application to function like this:

    1. User logs in, enters username and password. Upon successful authentication, user will have a role called ROLE_LOGIN.
    2. After successful login, the user gets redirected to a page where the user should supply his/her own email address. If the email address is valid, add another authority in his List<GrantedAuthority> called ROLE_USER.
    Last edited by mportugal; Feb 6th, 2013, 05:43 AM. Reason: More information

  • #2
    Why would you need a RunAsManager for that?!

    Get current authentication object from security context, create a new one with additional role, put that new one in security context and you are good to go.


    • #3
      Is that safe? Is there any other way to alter the Authentication object besides retrieving and updating the SecurityContext manually?


      • #4
        No... Why should there be another way? That is also what Spring Security does; the new object is stored after the request, so on subsequent requests you have the new instance.
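
The approach described in replies #2 and #4, written out as an added example (not code posted by anyone in the thread). The class and method names are hypothetical, and it assumes a form login that produced a `UsernamePasswordAuthenticationToken` and that the caller has already verified the email address on the server.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical helper (name is an assumption). Call it only after the server
// has verified the submitted email address for the logged-in user.
public final class AuthorityPromoter {

    private AuthorityPromoter() {}

    public static Authentication grantRoleUser() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        // Promote only a real first-step login; anonymous or missing contexts are rejected.
        if (current == null || !current.isAuthenticated() || !hasAuthority(current, "ROLE_LOGIN")) {
            throw new IllegalStateException("No ROLE_LOGIN authentication to promote");
        }
        if (hasAuthority(current, "ROLE_USER")) {
            return current; // already promoted, nothing to do
        }

        // Copy the existing authorities and add the new one; the original token is not modified.
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(current.getAuthorities());
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

        // The three-argument constructor produces a token that is already marked authenticated.
        UsernamePasswordAuthenticationToken promoted = new UsernamePasswordAuthenticationToken(
                current.getPrincipal(), current.getCredentials(), authorities);
        promoted.setDetails(current.getDetails()); // keep remote address / session id details

        SecurityContextHolder.getContext().setAuthentication(promoted);
        return promoted;
    }

    private static boolean hasAuthority(Authentication auth, String role) {
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

Pages that require the second step should be restricted to `ROLE_USER`, so that a session holding only `ROLE_LOGIN` cannot reach them. On Spring Security versions configured to require explicit context saving, the updated context must also be written through the application's `SecurityContextRepository`, since it is not stored automatically at the end of the request.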